Working with cryptocurrencies is exciting for many reasons. Being on the cutting edge of financial technology, championing an ideology of decentralization, all the while making exorbitant amounts of money. It should come as no surprise that users are primed into a state of optimism and risk seeking, perfectly placed to fall prey to social engineering tactics.
Between lookalike phishing attacks, trust-trading scams, exit-scams, and malware masked as a new startup, it seems as if we have a big red flag over us screaming for evil-doers to join in on the fun.
This post explores some of the reasons why the crypto industry has been and continues to be particularly susceptible to these attacks.
- Crypto users are inherently opportunistic and risk seeking.
- Crypto is full of finance, economics, and game theory jargon, making it hard to discern fact from fiction.
- Crypto payments are fast, irreversible, private, and lack many of the security controls commonplace in fiat transactions.
- Crypto scams offer immediate monetization, making it a highly attractive target for scammers.
- Businesses need to take proactive steps to identify and respond to scams targeting their brand.
Crypto users are seeking high risk opportunities
We can all agree that the most popular reason for getting into crypto is the potential to make some quick, easy money. The opportunity to make financial returns previously reserved only for casinos, while being built by visionaries and PhD graduates, is all too tempting for your average consumer. This thinking ultimately led to the ICO boom.
Despite that particular craze being mostly over, crypto-users are now aware of the gains that first movers can make and eagerly seek out the next big thing. It’s easy to see how this mentality could make one prone to neglecting to perform a responsible amount of due diligence.
Crypto has a steep learning curve
The challenge of entering crypto isn’t only a technological one. We’re faced with deciphering an increasingly complex world of economics, financial tools, and game theory. DeFi has forced us to learn about niche topics like collateralized debt positions, flash loans, and staking. It’s easy to see how newcomers might be overwhelmed by the immense amount of knowledge required to safely navigate through the space.
While user-education is typically touted as the main defense against scams and phishing, and to some degree it certainly is, in a quick moving space like crypto it’s easy to see how your average user can fall behind.
Crypto is a superior payment method
One of the main regulatory issues that the crypto community has had to dispel is its potential for facilitating illegal activity. Of course simply using crypto does not prove shady behavior, but it’s hard to argue with the fact that if one were a criminal, crypto seems like a fairly good medium of exchange.
Opening up a new wallet typically takes seconds, is free, and available to anyone. This is already hugely advantageous. Transactions are fast, irreversible, and face a minimal amount of scrutiny compared to dealing with banks or traditional payment processors.
That’s not to say this won’t change in the future. We’ve already seen how an immutable history of exchanges has come to bite some people years later, such as early Silk Road users being traced down years later.
Exchanges and wallets are also beginning to take steps to integrate more security controls into their products, establishing blacklists of addresses and improving their fraud detection systems. However, isn’t limiting who you can and can’t send your funds to contrary to a commonly held value in the crypto world of censorship resistance?
Monetizing attacks is simple
An often underappreciated hurdle in the world of cybercriminals is the step of monetizing a hack. Imagine this - you’ve gone through all the effort of compromising a local municipality website. You’ve got access to personal information, an insight into sensitive information about upcoming events, you even have the ability to deface their systems. How exactly would you turn any of that into money to pay your rent?
While having your private data stolen might feel like a massive invasion of privacy, depending on the type of data, it can be relatively difficult to turn this data into a financial reward for a hacker. That’s why the person who steals the data is often not the same person who uses the data, with forums existing in dark parts of the internet for criminals to purchase and sell stolen data at a low cost, in a gamble to turn the data into something monetizable.
For crypto hackers, this problem doesn’t exist in the same way. Hackers are interacting directly with magical-internet-money, meaning that attacks are automatically financially lucrative.
How to Stop Crypto Scams
Like most problems in security, there isn’t a single solution, a metaphorical silver bullet. Rather, a security in-depth approach needs to be taken, with multiple layers of defense used to thwart these attacks at every step of the way, making attacks as expensive as possible for would-be scammers.
The systemic issue is that of a mismatch of information, whether it’s about the authenticity of a user’s identity, what’s technologically possible, or the legitimacy of a service being offered. This is generally where user-education comes into the picture.
Educated users are better armed to identify and avoid these attacks. However, consider how effective this approach has been in the web 2.0 space. Despite email phishing being used as a primary method of compromising users, and user education being touted as a primary defense against it, to this day it’s still seen as one of the most effective general attack vectors.
This raises the point that businesses should be taking proactive steps to protect themselves and their users against scams.
In order to do this, businesses need to actively seek out these scams and respond to them before the scams reach their users. If a takedown is achieved before being widely distributed, the number of successful attacks is lowered, effectively requiring an attacker to spend more time and money in order to achieve results. Once a certain threshold is reached the business becomes an unattractive target and attackers will move to a new target. This is the concept of having a higher wall than your neighbor.
Cybercriminals will always exist, so the best strategy is to avoid being a high value target. And if you can’t avoid being a high value target, at least make yourself hard to target.
PhishFort offers a comprehensive solution to help businesses protect their brands from scams and phishing. We take out the hard work of building custom monitoring and response systems, hiring specialized resources, and siphoning through false-positives. Get in touch to hear how we can help you.